So, we're creating a SaaS which deploys new sites to a subdomain.
I managed to setup a wildcard certificate with the command:
sudo certbot --nginx --server https://acme-v02.api.letsencrypt.org/directory --preferred-challenges dns -d *.domain.cloud
Is there a way I can do this without running this whole command again?
Solution with a problem: One option is to run the command with --non-interactive flag, but I need to choose Attempt to reinstall this existing certificate automatically. Otherwise I might quickly reach my daily limit renewing the certificate.
Problem: A problem I have with this option is that I have removed some subdomains in Cpanel and don't know how to remove them from the wildcard cert.
Some guidance on these two would be immensely appreciated!
So if I understand correctly, you're using certbot to install the already existing certificate into a new virtualhost? I'm guessing here, but probably because certbot initially also created the HTTPS virtualhost in the first place? My suggestions:
Just create the HTTPS virtualhost in nginx yourself instead of certbot. Shouldn't be too hard, right? Just create the HTTPS virtualhost with the SSL options pointing to the existing certificate and reload nginx.
There's nothing to remove from the wildcard certificate? The certificate contains just the hostname *.domain.tld, any subdomain added/present in cPanel doesn't magically show up in the certificate. Or maybe I don't understand you entirely?
I'm using a platform which already creates the virtual hosts. All I need is to use certbot to correctly change all the Non-SSL blocks to use the wildcard.
I've just learnt that I can do this with certbot install --nginx --cert-name domain.cloud
But how do I tell certbot to install over all the nginx server blocks when I add --non-interactive?
It seems an option called --reinstall exists, which is an alias for --keep-until-expiring. The latter name doesn't seem to inspire much confidence in the behaviour we require, but --reinstalldoes. So maybe it could work?
You reference "domain.cloud" and then use wildcard defined as "*.domain.cloud".
I must point out that by default "*.domain.cloud" will not cover the name "domain.cloud".
If you mean "SiteX.domain.cloud", then yes, the wilcard would cover that name.
Using certbot to simply install a cert should be a viable option to this request.
But I think you may need some more detail in that command line.
You need to specify: certbot install --nginx --cert-name {actual cert name - see: certbot certificates for name} -d {list of domains - keeping names to match those on one vhost}
[then repeat that command once for each vhost that needs TLS enabled]
EDIT: You may also need to include if you want it to redirect HTTP to HTTPS or not.
Think that through!
You are asking certbot to create one single file with each request.
So if that were to happen with one single call, it would catch all your FQDNs into one single vhost file - with one single document root location - serving the content from only one site.
What you want is to site back, click one button, and have something else do the work for you [a thousand times over].
Not knocking your groove - just saying if you want that to happen you will have to write some code to get the system to work for you.
Think:
do until no more vhosts:
get the next insecure vhost
create a secure version using certbot and variables.
loop d loop:
Please don't try putting all the FQDNs into one call.
If it happens to succeed, you will only end up with one vhost with a ton of alias names and likely break your nginx config in the process.
[I have doubts that it could even complete such an outrageous request - but nothing good would come of it if it would]
